News August 1999


Most of the links lead to the corresponding advisories at CERT or other organisations, so any changes made there (in particular, which patches should be installed or which configuration changes should be made to avoid a vulnerability) take effect immediately. Most of the files are transferred by ftp.
By the way: if we do not publish a well-known risk inherent in a widely used platform or program, that does not mean this particular platform or program is safe to use!


System: Short description and further information:
WU-FTPD Development Group Security risk in wu-ftpd: J-065, ERS-1999.122
Due to insufficient bounds checking on directory name lengths which can be supplied by users, it is possible to overwrite the static memory space of the wu-ftpd daemon while it is executing under certain configurations. By having the ability to create directories and supplying carefully designed directory names to the wu-ftpd, users may gain privileged access.
The latest version of wu-ftpd is 2.5.0; sites running earlier versions should upgrade to this version as soon as possible. The new version is available now.
Red Hat Linux Buffer overflow in cron daemon and wu-ftpd: RH1999-030, RH1999-031, ERS-1999.121
Buffer overflows exist in crond, the cron daemon, and in wu-ftpd. These could allow local users to gain privileges. The following patches should be installed:
Red Hat Linux 4.2:
Intel:
rpm -Uvh ftp://ftp.redhat.com/redhat/updates/4.2/i386/vixie-cron-3.0.1-37.i386.rpm
rpm -Uvh ftp://updates.redhat.com/4.2/i386/wu-ftpd-2.5.0-5.6.0.i386.rpm
Alpha:
rpm -Uvh ftp://ftp.redhat.com/redhat/updates/4.2/alpha/vixie-cron-3.0.1-37.alpha.rpm
rpm -Uvh ftp://updates.redhat.com/4.2/alpha/wu-ftpd-2.5.0-5.6.0.alpha.rpm
Sparc:
rpm -Uvh ftp://ftp.redhat.com/redhat/updates/4.2/sparc/vixie-cron-3.0.1-37.sparc.rpm
rpm -Uvh ftp://updates.redhat.com/4.2/sparc/wu-ftpd-2.5.0-5.6.0.sparc.rpm
Source:
rpm -Uvh ftp://ftp.redhat.com/redhat/updates/4.2/SRPMS/vixie-cron-3.0.1-37.src.rpm
rpm -Uvh ftp://updates.redhat.com/4.2/SRPMS/wu-ftpd-2.5.0-5.6.0.src.rpm
Red Hat Linux 5.2:
Intel:
rpm -Uvh ftp://ftp.redhat.com/redhat/updates/5.2/i386/vixie-cron-3.0.1-37.i386.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/i386/wu-ftpd-2.5.0-5.6.0.i386.rpm
Alpha:
rpm -Uvh ftp://ftp.redhat.com/redhat/updates/5.2/alpha/vixie-cron-3.0.1-37.alpha.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/alpha/wu-ftpd-2.5.0-5.6.0.alpha.rpm
Sparc:
rpm -Uvh ftp://ftp.redhat.com/redhat/updates/5.2/sparc/vixie-cron-3.0.1-37.sparc.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/sparc/wu-ftpd-2.5.0-5.6.0.sparc.rpm
Source:
rpm -Uvh ftp://ftp.redhat.com/redhat/updates/5.2/SRPMS/vixie-cron-3.0.1-37.src.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/SRPMS/wu-ftpd-2.5.0-5.6.0.src.rpm
Red Hat Linux 6.0:
Intel:
rpm -Uvh ftp://ftp.redhat.com/redhat/updates/6.0/i386/vixie-cron-3.0.1-37.i386.rpm
rpm -Uvh ftp://updates.redhat.com/6.0/i386/wu-ftpd-2.5.0-5.6.0.i386.rpm
Alpha:
rpm -Uvh ftp://ftp.redhat.com/redhat/updates/6.0/alpha/vixie-cron-3.0.1-37.alpha.rpm
rpm -Uvh ftp://updates.redhat.com/6.0/alpha/wu-ftpd-2.5.0-5.6.0.alpha.rpm
Sparc:
rpm -Uvh ftp://ftp.redhat.com/redhat/updates/6.0/sparc/vixie-cron-3.0.1-37.sparc.rpm
rpm -Uvh ftp://updates.redhat.com/6.0/sparc/wu-ftpd-2.5.0-5.6.0.sparc.rpm
Source:
rpm -Uvh ftp://ftp.redhat.com/redhat/updates/6.0/SRPMS/vixie-cron-3.0.1-37.src.rpm
rpm -Uvh ftp://updates.redhat.com/6.0/SRPMS/wu-ftpd-2.5.0-5.6.0.src.rpm
Solaris 2.3 - 7 (SPARC and x86), SunOS 4.1.4 and 4.1.3_U1 Vulnerability in rpc.cmsd: Sun Security Bulletin #00188, ERS-1999.120, S-99-29
The rpc.cmsd is a small database manager for appointment and resource-scheduling data. Its primary client is Calendar Manager in OpenWindows, and Calendar in CDE. A buffer overflow vulnerability has been discovered which may be exploited to execute arbitrary instructions and gain root access.
Sun Microsystems provides patches against this vulnerability:
OpenWindows:
System            Patch-ID
SunOS 5.5.1       104976-04
SunOS 5.5.1_x86   105124-03
SunOS 5.5         103251-09
SunOS 5.5_x86     103273-07
SunOS 5.4         102030-10
SunOS 5.4_x86     102031-08
SunOS 5.3         101513-14
SunOS 4.1.4       100523-25
SunOS 4.1.3_U1    100523-25

CDE:
System                                              Patch-ID
SunOS 5.7, CDE 1.3                                  107022-04
SunOS 5.7_x86, CDE 1.3_x86                          107023-04
SunOS 5.6, CDE 1.2                                  105566-07
SunOS 5.6_x86, CDE 1.2_x86                          105567-08
SunOS 5.5.1, 5.5, 5.4, CDE 1.0.2                    103670-07
SunOS 5.5.1_x86, 5.5_x86, 5.4_x86, CDE 1.0.2_x86    103717-08
SunOS 5.5, 5.4, CDE 1.0.1                           103671-07
SunOS 5.5_x86, 5.4_x86, CDE 1.0.1_x86               103718-08
Microsoft Java VM "Virtual Machine Sandbox" Vulnerability: MS99-031, ERS-1999.119
The Microsoft VM is a virtual machine for the Win32 operating environment. It runs atop Microsoft Windows 9x or NT. It ships as part of each operating system, and also as part of Microsoft Internet Explorer. The version of the Microsoft VM that ships with Microsoft Internet Explorer 4.0 and Internet Explorer 5.0 contains a security vulnerability that could allow a Java applet to operate outside the bounds set by the sandbox and take any desired action on the user's computer. If such an applet were hosted on a web site, it could act against the computer of any user who visited the site.
Microsoft provides a patch for this vulnerability.
Netscape Enterprise and FastTrack Web Servers Buffer Overflow in httpd: ISS-037, J-062, ERS-1999.118
There is a vulnerability in the versions Enterprise 3.6sp2 and FastTrack 3.01. An attacker can send the web server an overly long HTTP GET request, overflowing a buffer in the Netscape httpd service and overwriting the process's stack. This allows a sophisticated attacker to force the machine to execute any program code that is sent. It's possible to use this vulnerability to execute arbitrary code as SYSTEM on the server, giving an attacker full control of the machine. Netscape provides a patch for this vulnerability.
Oracle 8.x Additional Root Compromise Vulnerabilities by dbsnmp: ISS-036, ERS-1999.117
The Intelligent Agent binary, 'dbsnmp', is a setuid root executable. The Intelligent Agent is a host-based agent that can be used to monitor, configure, and maintain remote database instances with the Oracle Enterprise Manager. The Intelligent Agent is part of the Oracle distribution. Local attackers may use these vulnerabilities to execute arbitrary commands as root, as well as create root-owned world-writable files anywhere on the file system.
If remote database administration with the Intelligent Agent is not required, the setuid bit on the 'dbsnmp' binary should be removed. As root, execute the following command:
# chmod 755 $ORACLE_HOME/bin/dbsnmp
Oracle provides a patch and a FAQ for this vulnerability.
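Added example (not from the page, ISS or Oracle): a shell audit that finds setuid binaries under a directory such as $ORACLE_HOME/bin and clears the bit on the ones a site does not need, verifying afterwards that it is really gone. It generalises the single chmod above to any directory. drop_setuid uses chmod u-s, which removes only the setuid bit and leaves the rest of the mode alone, whereas the advisory's chmod 755 sets the whole mode; the function names and the --dbsnmp switch are constructed for this example.

```shell
#!/bin/sh
# Added example: audit and remove setuid bits (not Oracle's or ISS's code).

# List setuid files below $1; if an owner is given as $2 (e.g. root), restrict
# the listing to files owned by that user, which is what matters for a root
# compromise.  Output is one path per line.
find_setuid() {
    dir=$1; owner=${2:-}
    if [ -n "$owner" ]; then
        find "$dir" -type f -perm -4000 -user "$owner"
    else
        find "$dir" -type f -perm -4000
    fi
}

# True if the single path $1 currently carries the setuid bit.
is_setuid() {
    [ -n "$(find "$1" -prune -perm -4000)" ]
}

# Clear the setuid bit on $1 and confirm the change took effect.  chmod u-s
# keeps the remaining permission bits; the advisory's "chmod 755" is the
# equivalent for a binary that was installed 4755.
drop_setuid() {
    f=$1
    chmod u-s "$f" || return 1
    if is_setuid "$f"; then
        echo "failed to clear setuid on $f" >&2
        return 1
    fi
    echo "cleared setuid on $f"
    return 0
}

# Apply the advisory's recommendation to dbsnmp when remote administration
# with the Intelligent Agent is not needed (requires root and ORACLE_HOME).
harden_dbsnmp() {
    bin="${ORACLE_HOME:?ORACLE_HOME is not set}/bin/dbsnmp"
    if is_setuid "$bin"; then
        drop_setuid "$bin"
    else
        echo "$bin is not setuid; nothing to do"
    fi
}

# "--dbsnmp" is a constructed switch so the functions can be sourced by a
# test without side effects.
if [ "${1:-}" = "--dbsnmp" ]; then
    find_setuid "${ORACLE_HOME:?}/bin" root
    harden_dbsnmp
fi
```

Run with --dbsnmp as root on the database host; the listing that precedes the change shows every other root-owned setuid binary in $ORACLE_HOME/bin, which is the set the second Oracle advisory below is concerned with.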
Oracle 8.x Root Compromise Vulnerabilities: ISS-035, ERS-1999.116
There are vulnerabilities in superuser-owned executables that may allow local root compromise. Attackers may use these vulnerabilities to create, destroy, or modify any file on the system, including files owned by the superuser. This attack may be particularly useful to gain complete control of the database system, to manipulate Oracle database files, or to deny service. Oracle provides a patch for this vulnerability.
Lotus Notes Domino Server 4.6 Denial of Service Attack via Notes LDAP Service: ISS-034, J-061, ERS-1999.115, S-99-32
Lotus Domino Server is an integrated messaging and web application server. An attacker can crash the Lotus Notes Domino server and stop e-mail and other services that Domino provides for an organization. There is an overflow problem in the Notes LDAP Service (NLDAP); the service that handles the LDAP protocol. This overflow is related to the way that NLDAP handles the ldap_search request. By sending a large amount of data to the parameter in the ldap_search request, an attacker can cause a PANIC in the Domino Server. This will allow an attacker to stop all Domino services running on the affected machine. It's recommended to upgrade to Maintenance release 4.6.6 or 5.0.
CiscoSecure Access Control Server Vulnerability in CiscoSecure ACS for UNIX Remote Administration: Cisco, ERS-1999.114
In CiscoSecure Access Control Server (CiscoSecure ACS) for UNIX, versions 1.0 through 2.3.2, there is a database access protocol that could permit unauthorized remote users to read and write the server database without authentication. Depending on the network environment, this might permit unauthorized users to modify the access policies enforced by the CiscoSecure ACS. A utility that is capable of using this protocol to read or modify a database is shipped with the CiscoSecure ACS product.
This vulnerability can be eliminated by either a CiscoSecure configuration change or a network configuration change. Cisco has provided a new release (2.3.3) that changes a default setting in order to ensure a higher default security level.
Microsoft ODBC Jet Engine Office and ODBC - vulnerability: MS99-030, ERS-1999.112, J-060, S-99-30
Microsoft has released a patch that eliminates security vulnerabilities in the Microsoft(r) Jet database engine. The vulnerabilities could affect any application that runs atop Jet, and could allow a database query to take virtually any action on a user's computer. Microsoft recommends that all customers who are running applications that use Jet, especially users of Microsoft Office97 and Office2000, install the patch.
Red Hat Linux Vulnerabilities in libtermcap tgetent and in.telnetd: RH1999028, RH1999029, ERS-1999.111, ERS-1999.113
A buffer overflow in the tgetent() function of libtermcap has been fixed, and a possible denial-of-service attack against in.telnetd is also addressed; both are fixed by upgrading to the following packages.
Red Hat Linux 4.2:
Intel:
ftp://ftp.redhat.com/redhat/updates/4.2/i386/libtermcap-2.0.8-15.i386.rpm
ftp://ftp.redhat.com/redhat/updates/4.2/i386/libtermcap-devel-2.0.8-15.i386.rpm
ftp://ftp.redhat.com/redhat/updates/4.2/i386/telnet-0.10-29.i386.rpm
Alpha:
ftp://ftp.redhat.com/redhat/updates/4.2/alpha/libtermcap-2.0.8-15.alpha.rpm
ftp://ftp.redhat.com/redhat/updates/4.2/alpha/libtermcap-devel-2.0.8-15.alpha.rpm
ftp://ftp.redhat.com/redhat/updates/4.2/alpha/telnet-0.10-29.alpha.rpm
Sparc:
ftp://ftp.redhat.com/redhat/updates/4.2/sparc/libtermcap-2.0.8-15.sparc.rpm
ftp://ftp.redhat.com/redhat/updates/4.2/sparc/libtermcap-devel-2.0.8-15.sparc.rpm
ftp://ftp.redhat.com/redhat/updates/4.2/sparc/telnet-0.10-29.sparc.rpm
Source packages:
ftp://ftp.redhat.com/redhat/updates/4.2/SRPMS/libtermcap-2.0.8-15.src.rpm
ftp://ftp.redhat.com/redhat/updates/4.2/SRPMS/telnet-0.10-29.src.rpm
Red Hat Linux 5.2:
Intel:
ftp://ftp.redhat.com/redhat/updates/5.2/i386/libtermcap-2.0.8-15.i386.rpm
ftp://ftp.redhat.com/redhat/updates/5.2/i386/libtermcap-devel-2.0.8-15.i386.rpm
ftp://ftp.redhat.com/redhat/updates/5.2/i386/telnet-0.10-29.i386.rpm
Alpha:
ftp://ftp.redhat.com/redhat/updates/5.2/alpha/libtermcap-2.0.8-15.alpha.rpm
ftp://ftp.redhat.com/redhat/updates/5.2/alpha/libtermcap-devel-2.0.8-15.alpha.rpm
ftp://ftp.redhat.com/redhat/updates/5.2/alpha/telnet-0.10-29.alpha.rpm
Sparc:
ftp://ftp.redhat.com/redhat/updates/5.2/sparc/libtermcap-2.0.8-15.sparc.rpm
ftp://ftp.redhat.com/redhat/updates/5.2/sparc/libtermcap-devel-2.0.8-15.sparc.rpm
ftp://ftp.redhat.com/redhat/updates/5.2/sparc/telnet-0.10-29.sparc.rpm
Source packages:
ftp://ftp.redhat.com/redhat/updates/5.2/SRPMS/libtermcap-2.0.8-15.src.rpm
ftp://ftp.redhat.com/redhat/updates/5.2/SRPMS/telnet-0.10-29.src.rpm
Red Hat Linux 6.0:
Intel:
ftp://ftp.redhat.com/redhat/updates/6.0/i386/libtermcap-2.0.8-15.i386.rpm
ftp://ftp.redhat.com/redhat/updates/6.0/i386/libtermcap-devel-2.0.8-15.i386.rpm
ftp://ftp.redhat.com/redhat/updates/6.0/i386/telnet-0.10-29.i386.rpm
Alpha:
ftp://ftp.redhat.com/redhat/updates/6.0/alpha/libtermcap-2.0.8-15.alpha.rpm
ftp://ftp.redhat.com/redhat/updates/6.0/alpha/libtermcap-devel-2.0.8-15.alpha.rpm
ftp://ftp.redhat.com/redhat/updates/6.0/alpha/telnet-0.10-29.alpha.rpm
Sparc:
ftp://ftp.redhat.com/redhat/updates/6.0/sparc/libtermcap-2.0.8-15.sparc.rpm
ftp://ftp.redhat.com/redhat/updates/6.0/sparc/libtermcap-devel-2.0.8-15.sparc.rpm
ftp://ftp.redhat.com/redhat/updates/6.0/sparc/telnet-0.10-29.sparc.rpm
Source packages:
ftp://ftp.redhat.com/redhat/updates/6.0/SRPMS/libtermcap-2.0.8-15.src.rpm
ftp://ftp.redhat.com/redhat/updates/6.0/SRPMS/telnet-0.10-29.src.rpm
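Added example (not from this page, Red Hat or CERT): a small POSIX shell audit that checks whether the packages installed on a Red Hat host are at least the fixed versions named in the two Red Hat entries above (vixie-cron and wu-ftpd, libtermcap and telnet). The fixed version-release strings are taken from the package file names listed; rpm's --queryformat reads what is installed, and the version comparison is a simplified component-wise one (numeric fields compared numerically, anything else lexically), which is an assumption of this example and not rpm's own rpmvercmp. The --audit switch is constructed for this example.

```shell
#!/bin/sh
# Added example: verify installed RPM versions against an advisory's fixed
# versions (not Red Hat's code).  Only check_installed needs the rpm tool.

# Compare two version strings component-wise, splitting on '.' and '-'.
# expr compares numerically when both sides are integers and lexically
# otherwise; a missing trailing component counts as 0.  Prints -1, 0 or 1.
# Mixed components such as "5a" versus "10" compare lexically, which is a
# known simplification relative to rpmvercmp.
vercmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ca=${a%%[.-]*}; cb=${b%%[.-]*}                 # leading component
        case $a in *[.-]*) a=${a#*[.-]} ;; *) a= ;; esac   # drop it and the separator
        case $b in *[.-]*) b=${b#*[.-]} ;; *) b= ;; esac
        [ -n "$ca" ] || ca=0
        [ -n "$cb" ] || cb=0
        if [ "$(expr "$ca" \< "$cb")" = 1 ]; then echo -1; return 0; fi
        if [ "$(expr "$ca" \> "$cb")" = 1 ]; then echo 1; return 0; fi
    done
    echo 0
}

# Report whether installed version $2 of package $1 is at least $3.
check_version() {
    pkg=$1; installed=$2; required=$3
    if [ "$(vercmp "$installed" "$required")" -lt 0 ]; then
        echo "VULNERABLE: $pkg $installed is older than fixed version $required"
        return 1
    fi
    echo "ok: $pkg $installed >= $required"
    return 0
}

# Query the installed version-release with rpm and check it.
check_installed() {
    pkg=$1; required=$2
    installed=$(rpm -q --queryformat '%{VERSION}-%{RELEASE}' "$pkg" 2>/dev/null) || {
        echo "$pkg: not installed"; return 0; }
    check_version "$pkg" "$installed" "$required"
}

# Fixed version-releases as they appear in the package file names above.
audit_redhat() {
    rc=0
    check_installed wu-ftpd    2.5.0-5.6.0 || rc=1
    check_installed vixie-cron 3.0.1-37    || rc=1
    check_installed libtermcap 2.0.8-15    || rc=1
    check_installed telnet     0.10-29     || rc=1
    return $rc
}

# "--audit" is a constructed switch so the file can be sourced without running.
if [ "${1:-}" = "--audit" ]; then
    audit_redhat
fi
```

Run with --audit after the rpm -Uvh commands; a non-zero exit means at least one listed package is still older than the fixed release, which catches a download that silently failed or a host that was missed.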

C Set ++ for AIX Vulnerability in IBM C Set ++ for AIX Source Code Browser: ERS-1999.03i, J-059, S-99-28
A buffer overflow vulnerability has been discovered in the Source Code Browser's Program Database Name Server Daemon (pdnsd) of versions 2 and 3 of IBM's C Set ++ for AIX. This vulnerability allows local and remote users to gain root access. IBM C Set ++ for AIX versions 2 and 3 are no longer supported and no patch will be issued. Instead, an upgrade should be done.
All New ISS-Summary: ISS
ISS reports 8 new vulnerabilities within the last 2 weeks:
- irdp-gateway-spoof
- http-iis-malformed-header
- netbsd-profil
- nt-terminal-dos
- frontpage-pws-dos
- sun-stdcm-convert
- exchange-relay
- gauntlet-dos
Further information can be found on the ISS server.
Gauntlet Firewall 5.0 Denial-of-Service by ICMP-Packets: Bugtraq
Network Associates Gauntlet Firewall contains a vulnerability that would allow a remote attacker to crash the firewall by sending a specifically constructed ICMP packet through the machine to a known IP inside the firewall.
Solaris 2.6 stdcm_convert (CDE) vulnerability: Bugtraq
A vulnerability exists in stdcm_convert, which is a program shipped with CDE and packaged with Solaris 2.6. A local user could create a symbolic link of the tmp file created by stdcm_convert and point it to any file on the system. This would overwrite the file and make it writable by the user. This could lead to a local root compromise.
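Added example (not from the page, Bugtraq or Sun): the temporary-file symlink problem described for stdcm_convert, reduced to two shell functions so the difference is visible. The first writes to a predictable name under a directory and therefore follows whatever a local user has linked there; the second creates the file with mktemp (atomic, random name, fails if the name already exists) under a restrictive umask and refuses to continue unless the result is a regular file. The directory argument and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example: predictable temp file versus mktemp (not Sun's code).

# Vulnerable pattern: a predictable name built from the process id, written
# with a plain redirection.  '>' follows a symbolic link, so if a local user
# has already created $tmproot/convert.<pid> as a link to some other file,
# that file is overwritten with our data (the stdcm_convert problem).
unsafe_tmp_write() {
    tmproot=$1; data=$2
    out="$tmproot/convert.$$"
    printf '%s\n' "$data" > "$out"
    echo "$out"
}

# Hardened pattern: mktemp picks an unpredictable name and creates it with
# O_EXCL and mode 0600, failing instead of reusing an existing entry; the
# umask covers anything else the program might create.  Before writing we
# still confirm the path is a regular file and not a link.
safe_tmp_write() {
    tmproot=$1; data=$2
    old_umask=$(umask)
    umask 077
    out=$(mktemp "$tmproot/convert.XXXXXX") || { umask "$old_umask"; return 1; }
    umask "$old_umask"
    if [ -L "$out" ] || [ ! -f "$out" ]; then
        echo "refusing to use $out: not a regular file" >&2
        return 1
    fi
    printf '%s\n' "$data" > "$out"
    echo "$out"
}
```

On a real system the directory would be /tmp; the decisive difference is that the safe variant never reuses a name that already exists, so a pre-planted link can only make it fail, never redirect the write.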
Windows 9x, Solaris, SunOS DHCP gateway-spoof: L0pht, ERS-1999.109
Systems configured for DHCP obtain their default gateway information, along with other configuration parameters, when they first contact the network's DHCP server. When dynamically configured through DHCP, it has been shown to be possible to remotely change the default gateway of certain systems, including Sun Solaris and SunOS as well as Windows 9x, by manipulating the systems with ICMP Router Advertisement messages. An attacker could therefore cause a system to direct its network traffic through a system of their choice, opening up man-in-the-middle, monitoring and denial of service attacks. Here you can find an example for this vulnerability.
Microsoft IIS, Site Server, and Commerce Internet Server Denial-of-Service by Malformed HTTP Request Header: MS99-029, ERS-1999.108, J-058
Web servers using Microsoft's Internet Information Server 4.0 as their web engine are vulnerable to a DoS attack. If multiple HTTP requests containing specially malformed headers are sent to an affected server, IIS may consume all memory on the server. As a consequence, in most cases IIS has to be stopped and restarted.
Microsoft has published a fix for the X86 version and the Alpha version.
If the log file is exactly a multiple of 64kB, the server may also hang. In this case, it will restart properly with a clean log file.
NetBSD Vulnerability in profil(2): NetBSD-11, ERS-1999.107
A wrapper program can be constructed by a local user that can modify the internal data space of a program it execve(2)'s in a partially predictable way, including setuid root binaries, exploiting a hole in profil.
It's recommended to upgrade to NetBSD 1.4.1, or NetBSD-current. A patch is described in the advisory.
Debian Linux Risks found in samba, cfingerd, and isdnutils: Debian0804, Debian0806, Debian0807
The version of samba as distributed in Debian GNU/Linux 2.1 has a couple of security problems, so it's recommended to install version 2.0.5a-1 of samba. The link for getting the upgrade is pointed out in the advisory.
Due to a buffer overflow in older versions of cfingerd it's recommended not to use Debian prior to 2.0 or cfingerd versions prior to 1.3.2-9 any more.
Xmonisdn was incorrectly installed suid root. The current package assigns dialout group privileges instead; a link can be found in the advisory.
OpenBSD Vulnerabilities in /etc/rc, IPSec, and profil: OpenBSD
Exploiting a hole in /etc/rc allows users to rewrite the motd. Packets that should have been handled by IPsec may be transmitted as cleartext, and a hole in profil(2) was found. It's recommended to install the patches for rc, IPSec, and profil.
MS NT Server 4.0, Terminal Server Edition Denial of Service against NT Terminal Server: MS99-028, ERS-1999.106, ISS-033, J-057, S-99-26
When a request to open a new terminal connection is received by a Terminal Server, the server undertakes a resource-intensive series of operations to prepare for the connection. It does this before authenticating the request. This would allow an attacker to mount a denial of service attack by levying a large number of bogus connection requests and consuming all memory on the Terminal Server. This vulnerability could be exploited remotely if connection requests are not filtered.
It's recommended to install the hotfix published by Microsoft.
MS Exchange Server 5.5 Exchange Server as Mail-Relay: MS99-027, J-056, S-99-27, ERS-1999.105
Exchange Server implements features designed to defeat "mail relaying", a practice in which an attacker causes an e-mail server to forward mail from the attacker, as though the server were the sender of the mail. However, a vulnerability exists in this feature, and could allow an attacker to circumvent the anti-relaying features in an Internet-connected Exchange Server.
The vulnerability lies in the way that site-to-site relaying is performed via SMTP. Encapsulated SMTP addresses could be used to send mail to any desired e-mail address. A hotfix eliminates this vulnerability.
All New ISS-Summary: ISS
ISS reports 8 new vulnerabilities within the last 2 weeks:
- gauntlet-dos
- nt-malformed-dialer
- 3com-hiper-comm-name
- tiger-script-execute
- sgi-arrayd
- amavis-command-execute
- bsd-shared-memory-dos
- netware-ipx-session-spoof
Further information can be found on the ISS server.


© 1999 Dr. Matthias Leu, EDV Beratung fuer Internet/Intranet, last Update: 1999-09-14, 15:24 +0200